It's the Season - 24 December 2005

From all the staff here at Sûnnet Beskerming we wish all our readers a very merry Christmas and a happy New Year. We hope
that the security advice and reporting that we have provided to you this year has helped you avoid difficulties, and that it
is allowing you to have a peaceful break over the Christmas / New Year period. Before everyone can go and enjoy themselves,
there are a few issues that have come up over the last few days which could have an impact over Christmas.

Firstly, Symantec and a number of other Information Security vendors have had vulnerabilities disclosed which could leave
systems open to complete compromise by remote attackers. In Symantec's case, almost the entire product line has been found
to be vulnerable to a flaw which can allow a remote hacker to execute code of their choice on systems running Symantec
software. Interestingly, this problem is cross-platform, affecting both Windows and Macintosh Symantec software with
similar results. In McAfee's case, their Security Centre and VirusScan software products can expose underlying systems
to remote attackers, with similar outcomes to the Symantec issues. While the Symantec flaws can be exploited in a completely
automated manner, the McAfee flaw requires the victim to trigger it, either by visiting a malicious website or by taking
some other action that exposes the flaw. In Symantec's defence, the file size required to exploit this flaw is in the range
of 50 MB.

Normally, Apple software doesn't attract a lot of attention from hackers, and so not a lot of security flaws tend to get
discovered. The past week has seen two different vulnerabilities discovered, affecting the QuickTime media player, iTunes,
and the OS X Operating System. The first flaw, which affects QuickTime and iTunes, leads to a Denial of Service against
the software and is launched by opening a malicious .mov media file. While the original discoverer has claimed that
arbitrary code execution is possible, there is no indication that this is the case (at this time). This flaw affects
both the OS X and Windows versions of the software. The second flaw affects the OS X Operating System itself. In
this case, malformed HTML input will cause the KHTMLParser to crash, bringing down vulnerable applications with it.
It is known to affect Safari and TextEdit at this stage, but any application which relies upon the inbuilt KHTMLParser
to render HTML content is likely to be vulnerable. The discoverer of this flaw, who also discovered the QuickTime /
iTunes flaw, claims that arbitrary code execution is possible, but again there is no indication that this is the case
(at this time).

The timing for public release of this information seems suspect, especially the claims of arbitrary code execution and the
lack of a timeline which indicates when Apple were notified of the problems. While the vulnerabilities are certainly real,
it is probable that a patch will be delayed due to the Christmas / New Year holiday period. Concerned users should be
careful about accepting QuickTime media files from untrusted sources (for the first vulnerability), and about visiting
potentially malicious / untrusted websites (for the second vulnerability), lest their application suddenly shut down.

Website applications are not escaping the attention of hackers over the Christmas period, either. It is suspected that
many of the most active and prolific website defacers are secondary or tertiary students, and the increase in defacement
activity seems to correlate with school holiday periods, with significant reductions during exam seasons. Turkish-based
hacking groups appear to have become very active over the last couple of weeks, with some fairly significant attacks
taking place during that time period. Not only are single sites being targeted, but servers which host multiple sites
are being attacked with increasing frequency. To aid the defacement and other attacking efforts, a number of
vulnerabilities have been discovered over the last couple of weeks in a range of common Internet software packages.
These vulnerabilities are already seeing fairly rapid deployment, with a number of sites running the Mambo Content
Management System in particular being targeted over recent days.

The company behind leading law enforcement forensic software EnCase, amongst other titles, has released a statement
admitting that they were recently compromised in an attack which allowed the attackers access to financial and personnel
data connected to thousands of law enforcement personnel and security professionals. The attack was first discovered on
December 7, and it is believed that the incident took place at some stage in November. While normal identity theft
cases can net valuable information, the perceived level of compromise, and the specific industry groupings covered, would
mean that this particular security breach could have some significant long term effects. It is reported that the US
Secret Service has become involved in investigating the breach.

Microsoft's Internet Explorer web browser for the Macintosh Operating System was frozen at version 5 a couple of years
ago when active development ceased in response to the emergence of Safari. All support for the application will be
ceased as of December 31, 2005, and it will no longer be included for distribution from January, 2006. While this move
is not unexpected, it has been some time since Internet Explorer was the default web browser installed on Apple
Operating Systems (it was always installed, or was on the installation disks, just not the system default browser).
While not a complete reproduction of the Windows version of the software, it did make for a useful testing and
development tool for web designers and other Internet professionals, as well as providing a fallback for sites which
refused to display in other browsers.

IBM's once flagship Operating System, OS/2, has also reached the end of its lifespan, with all support for the product
being withdrawn as of December 23.

Little Compositions - 19 December 2005

This week has seen quite a number of smaller news articles come to the surface, many being follow-ups to stories that gained
prominence earlier in the year, including spear phishing, Chinese state-sponsored hackers and more.

In one of the most recent cases where spear phishing has been claimed, at least one minor US financial institution
had its internal systems specifically targeted by remote attackers. Separating this case from the normal range of
phishing attacks was the fact that it appeared targeted at employees of the institution, and attempted to compromise
their work systems for purposes unknown (although a good guess would be the compromise of account holders' details).
The case is now under investigation by the authorities, but it is interesting from the point of view that it has been
reported by the media as a case of spear phishing.

A story which evolved along similar lines saw a charity in the United Kingdom find itself the victim of a compromise
which resulted in the theft of the personal details and financial contribution data of a large number of its donors.
This information was rapidly turned around for active exploitation, with a number of the donors being contacted by the
hackers, who claimed to represent the charity and sought further donations from them. Others had accounts with
various financial institutions accessed and modified.

Since the public notification of the breach, the website for the affected charity has been shut down. A comment from the
head of the UK Charity Commission suggests that there is a lack of understanding of the threats to online financial
transactions, at the highest levels of the Commission. Essentially, he claimed that the use of SSL to protect information
in transfer between the donor and the charity should be sufficient security for protection of information, which
conveniently ignores the risk posed by insecure storage of sensitive information on the server. The Executive did follow
up this claim with a later statement that charities and other companies with an online presence should ensure they have
some form of security on their sites.

The bad news didn't end there for the UK, with reporting that the suspected fraud perpetrated through an HM Revenue &
Customs tax credit portal was far more extensive than originally thought. Initially disclosed at the start of December,
when the portal was taken off-line, it was thought at that time that up to 1,500 call centre workers had their identities and
financial details stolen, with a number being used for fraudulent claims through the tax portal. Continuing investigation
work has discovered that the number of compromised people may be up to 13,000, with the total fraud perpetrated in the
millions of pounds. Most fraudulent claims appear to have been limited to less than a thousand pounds, possibly in an
effort to avoid automated and manual scanning systems.

Following the recent fuel storage explosion and fires in England, a number of large electronics retailers and Information
Technology firms were directly affected, and had the chance to implement their disaster plans (if they had them). One
of the major electronics retailers in England had their headquarters essentially destroyed, but the quick implementation
of their disaster recovery plan meant that they were able to resume operations from a secondary location, with minimal
disruption to their services. It is feared that a number of smaller (and even some larger) companies will not be able
to cope with the stress and system disruption caused by the damage to their information infrastructure, and will go out
of business as a result.

Elsewhere in the world, hacking in the national interest has grabbed minor headlines for a number of incidents. The
'Titan Rain' set of incidents, where it is claimed that state-sponsored hackers from China were actively exploiting
semi-sensitive networks and systems in the USA, has received more exposure from Western news sources. To counter the
negative press being generated, the Chinese Foreign Ministry released a statement that the Chinese Government is not
involved in any hacking of the USA, and called for evidence to be released which shows the links between the
attacks and the Chinese Government.

Minor hacking and web-defacement conflicts have also been taking place between Chile and Peru, and India and Pakistan.
While it is unlikely that these cases involve any state sponsored efforts, the hacking can be considered a proxy front
for the national interests being tussled over in the real world. Internal hacking efforts have also resulted in the
complete shutdown of a government-sponsored television station in Russia. The new station, Russia Today, has admitted
that they were forced to cease transmission of their programs due to a particularly nasty attack from a hacker, or
hackers unknown. Broadcast of content has been ceased until the attack can be defeated.

There were also a small number of significant malware events which affected a wide range of systems. Not wanting to be
outdone by Sober, the creators behind the Bagle / Beagle family of email worms have released the next variant, which
appears to be a much more active attacking worm than previous versions. Most anti-virus companies should have updated
definition files by now to deal with this latest worm. While this particular worm is spreading, it appears that Sober
is beginning to have some fairly serious effects. Users of Microsoft's Hotmail and MSN email services may be unable to
receive emails (or have them excessively delayed) from an unspecified number of external ISPs. A spokesperson for
Microsoft claims that the issues are related to the increase in traffic caused by the Sober email worm.

A new exploit was released which targets the MSDTC vulnerabilities fixed in the MS05-051 security patch released in
October this year. Dubbed Dasher, the current versions in the wild link back to key loggers and other nasty software
in an effort to extract useful information from the infected end users. An initial, crippled, version was sent to the
major Anti-virus companies earlier in the week, for reasons that are currently unknown. While the patch from Microsoft
will completely block the exploitation route the worm is using, there have been reports that the patch has caused
problems for some users, and so not all vulnerable systems may have been patched.

Finally, the possession of plasticine may soon be regarded as suspicious (there goes the kindergarten and childcare
industry) following revelations that it may be used to bypass biometric authentication systems such as fingerprint
readers. Laboratory testing has discovered that 90% of the time biometric systems could be confused and bypassed by
such simple means as the use of plasticine. The high failure rate should be a cause for concern, and the fact it isn't
mentioned by the vendors could be leading clients to have a misplaced sense of trust in their authentication systems;
it can reduce a well-designed multiple-factor authentication system to a single-factor one. At the least, it
appears to be driving a number of the vendors to improve their products to be better protected against such simple
attacks.

Of Disaster and Online Terror - 12 December 2005

As the Christmas and New Year period arrives again for another year, it is time to consider how you may be leaving your
Information Technology infrastructure over the holiday period. From disaster recovery plans in the case of catastrophic
system failure, through to inadvertent information leakage, it is important to be prepared.

While major natural disasters are relatively infrequent, their destructive effects are fairly uniform across a
large area. This means that if your recovery plans rely upon immediate response by third party agencies, then they
may not have the opportunity to respond to your needs as you have planned. The infrequency of disasters is not a
good enough argument for not planning for them to affect your infrastructure this holiday period. The South
Asian tsunami and Canberra bush fires are two fairly recent examples of disasters to hit close to this time of year.

While not a natural disaster, the sudden catastrophic failure of IT infrastructure can be devastating, and it is
something that many businesses are not able to recover from. Just in the last several days, Sûnnet Beskerming
staff witnessed a company experience sudden and complete infrastructure failure, yet be able to recover within
minutes, to the point that the sum data loss across the company was two lines of unsaved text in a text editor.

The failure struck just as the company had commenced daily operations, and their systems were loaded with the maximum
amount of data for daily processing. In their recovery plan, the company had steps to handle situations such as
this, and were able to fully recover the information that was held on the systems, and were confident that, if they
were given more time, they would have recovered the unsaved text as well. The loss of productivity was only on the
order of a couple of hours to the end users as alternative systems were brought online.

The above company was not lucky, just well prepared, although with the current general state of IT management, the
two seem to be interchangeable.

At the other end of the disaster scale, planning needs to take into account what happens as personnel depart for
leave, travel or holidays, and what their systems will be doing during this period. Already a number of security
mailing lists are publicly calling for people not to turn on automatic out-of-office reply features in their email
clients, as the replies can get replicated onto the mailing lists, providing the hackers who read them with useful
information about the whereabouts of key security personnel at various companies. It also makes their hacking efforts
that much easier, as the company being targeted already knows that the person the hacker is pretending to be is not in
the office.

Even without the holiday increase in hacking efforts by the lower skilled hackers (script kiddies), the ongoing
research into software vulnerabilities sometimes causes a problem when the discoverers decide that they want some
public recognition for their efforts. Last week, an auction appeared on eBay which claimed to be for the sale of a
'0-day' exploit for Microsoft Office's Excel spreadsheet software. As expected, eBay rapidly pulled the auction off
the site, but the existence of it sparked some interesting arguments amongst security specialists as they argued
over the ethical issues raised by such a move.

While the act of selling an exploit for software can be considered ethically dubious, there are a number of higher
profile Information Security companies which do trade in such exploits, ideally acting as a conduit between the
software vendor and the hacker, for financial compensation to both. This apparent hypocrisy only furthers the
perception of the Information Security industry being filled with snake oil salesmen.

As to the nature of the Excel exploit, no one is completely sure, although the eBay lister suggested that Microsoft
agreed that it was a real vulnerability which had been discovered. At least one other researcher has hinted at having
possession of an exploit against Excel which can lead to the compromise of a vulnerable system, but it is not known
whether Microsoft have verified that particular case.

The bickering continued following the announcement that the Sober email worm would automatically self-update on the
5th of January, 2006. One company (which is one of the companies involved in the trading of newly discovered exploits
for money, and is one of the more 'respected' names in Information Security) claimed that it is to activate a mass
attack of some form (possibly spam) to commemorate the 87th anniversary of the founding of the German Nazi party.
While the 87th anniversary of any event is an odd one to celebrate, at least part of the justification is based on
previous iterations of the worm being used to distribute neo-Nazi spam.

Not only have the claims of this company been questioned, but also the intent of the company which claimed to have
discovered the self-updating feature. While disclosure of information such as this is important for administrators to
be able to better defend their (infected) systems, an administrator who would take action on this information would have
already ensured their systems were cleaned of infection, and subsequently protected. At the least, it has tipped the
developer of the worm off that the internals of their worm have been cracked, and the Security world will be watching with
interest come January 5.

Online attacks have also gained extra attention this past week, with the BBC reporting at the start of the week on a call
from a group of Islamic militants who were seeking to have a presence established on the Internet so that they could
distribute information to the world about their activities and military actions. Part of the compensation offered to the
budding web designer is a promise that the designer would get the chance to remotely launch a rocket attack against a US
base in Iraq, using newly developed Internet-controlled rockets.

While this, and other activity by militant groups, is not normally identified by the mainstream media or Information
Security groups as being an issue, the transcript from an informal round-table on the threat of online terror attacks has
been published on the Internet, and it has drawn a range of very polarised responses - arguing for and against the threat
of online attacks. The round-table itself appeared to be inconclusive, with more argument about how attacks can be
defined than actually about the threat posed by external attackers.

The few nuggets of useful information that were thrown up suggest that the US, at the least, is concerned about what is
known as an asymmetric threat, whereby one attacker, or a few, can create damage far beyond what their size would suggest
(e.g. one person taking out the power infrastructure for the country). Some of the other information suggests that there
are numerous critical infrastructure systems in the US which are reachable, and thus attackable, from the Internet,
including important utilities such as electricity, gas, and water supplies for major metropolitan centres.

What did seem apparent from the transcript was the significant difficulty encountered when trying to get
technical people to consider the military and national interest strategic consequences of technical vulnerabilities and
system exposure, and the equal difficulty encountered when getting strategic planners and thinkers (military and national
interest) to adequately understand the technical nature of the threats being discussed.

Even minor attacks such as web defacements can be seen by some as a terror threat. The recent defacement of the Australian
Capital Territory Chief Minister's website was reported as being a targeted attack against the Chief Minister (which it
wasn't), while the recent defacement of the National E-Health Transition Authority (NEHTA) was not widely reported (if at
all), but probably is of more concern. NEHTA has been established for the purposes of enabling the Commonwealth and State
and Territory governments to develop better ways of electronically collecting and securely exchanging health information,
and the inability to secure their Internet presence does not instill a lot of confidence in their claimed focus on the
security of electronic health information.

At the very least, even if the threat of online terror attacks is not a credible one, it does not mean that security can
not be improved on the systems currently connected to the Internet, and those which are not meant to be.

Disturbingly, the discussion on online terror attracted enough apparently independent comments about various military
and other sensitive infrastructure networks (primarily US) to imply that there are definitely electronic connections to
the greater Internet from systems up to and including the US Top Secret level, with varying levels of ease of connection
to those systems.

To protect the US, it looks like the US Air Force is going to step up and do it. At least, that's according to their
recently released mission statement:

The mission of the United States Air Force is to deliver sovereign options for the defense of the United States of
America and its global interests -- to fly and fight in Air, Space, and Cyberspace.

Little Bits and Pieces - 05 December 2005

The ongoing issue with the recent Internet Explorer arbitrary code execution vulnerability continues to worsen, with
active exploitation by at least one new system worm. There is some speculation that Microsoft will be issuing an
out-of-cycle patch for the Internet Explorer issue, although their scheduled monthly patch release is set for December
13.

The argument for the out-of-cycle patch is that Microsoft have known about the root flaw that allows the code
execution for at least six months, and that the resulting vulnerability is critical; the argument against an
out-of-cycle patch is that some regard the issue to be a design error which would require a significant overhaul of
the Internet Explorer code base in order to correct the flaw. Whichever way it turns out, it is essential that
users of Internet Explorer apply whatever patches are made available, as soon as they are released.

Although not as critical as the Internet Explorer flaw, exploit code has been published for recently patched
vulnerabilities, those patched by MS05-051 and MS05-053. A fully updated system will not be vulnerable to exploits
developed from the sample code, but it should be a reminder to those who have not patched their systems that they
should expedite the process. The sample exploit code would result in Denial of Service style attacks against
vulnerable systems.

While fairly active attention was focussed on active and patched vulnerabilities in Microsoft products, Apple Computer
released their latest security patch for their OS X Operating Systems. Released for their 10.3 and 10.4 product lines,
the Security Update 2005-009 release fixes a number of fairly serious, and not so serious, vulnerabilities in included
third party software and some core components of the Operating System. While most of the third party vulnerabilities,
such as those affecting the Apache web server, were previously known about, the serious core Operating System
vulnerabilities were not. Either Apple were able to encourage the discoverers to keep quiet about their discoveries,
or they were discovered in house. Irrespective of the reason, it is an interesting difference to the way that recent
Microsoft vulnerabilities have been disclosed and handled.

The news isn't all good for Apple, however, with initial reporting of vulnerabilities leading to arbitrary code
execution through QuickTime, at least for the Windows implementation, for the most recent versions. The last update
for QuickTime was to fix another arbitrary code execution issue, and it is not known whether the new claimed
vulnerability is related in any way to the fixed vulnerability.

Also following on from previous weeks, the high-profile recent variants of the Sober email worm have started to include the
UK National High Tech Crime Unit (NHTCU) as one of the spoofed senders, joining the FBI, CIA and other agencies as
spoofed From: addresses. With less than a calendar month remaining in the year, it will take a fairly significant
effort from another email-based worm to displace the latest Sober variants from the title of most significant
email-based worm for 2005.

Amongst other movement in the so-called hacker 'underground' recently, European security firm, Zone-h, apparently
found itself the victim of an online defamation. At some stage in the previous couple of weeks, a Google Groups
group was established with the name 'Zone-h The Internet Thermometer', which is a phrase Zone-h does use to describe
themselves. Rather than providing discussion ground for security news and efforts, the group appeared to be used
for the solicitation and trade of hacking services. Zone-h (the real one) has issued a press release publicly
denying any involvement with hacking services, offers for hacking, and other illegal activities promoted through
the group.

It now appears that several members of the Google Groups group took advantage of a slip in moderation to redirect
the focus of the group, and at least one Zone-h moderator has re-appeared to take back control of the group.

Researchers who are investigating weaknesses in common cryptographic hashing functions (one-way functions which are
commonly used for validating the integrity of files and protecting passwords in applications) have released further
samples of collisions (two different original inputs producing the same hash value) under a range of common
functions. While the presence of collisions has been known for some time, it was believed that generating inputs
that collide under multiple hashing algorithms at the same time was practically improbable.

The released samples now include eight files with the same MD5 hash and two Windows executables with the same MD5
hash, the same CRC32, the same checksum 32, and the same checksum 16. While it is still practically improbable for
the collisions found to be exploited usefully (i.e. starting with an arbitrary original file / content and then
modifying it in a meaningful way), it does bring that another step closer and does show that a single pair of inputs
can collide under multiple hash algorithms at once.
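As an added illustration, not from the original article, of why stacking weak fingerprints is no substitute for a strong hash, the following Python compares a constructed 16-byte record with a reordered copy of itself. The additive word-sum definitions of 'checksum 16' and 'checksum 32' are assumptions about the checksums named above; any reordering of aligned words leaves such sums unchanged, so the two records collide under both checksums without any search, while SHA-256 (and, for this pair, MD5) still flags the change. The MD5 and CRC32 collisions of the released samples are not reproduced here.

```python
import hashlib
import zlib


def checksum16(data: bytes) -> int:
    """Additive 16-bit checksum: sum of big-endian 16-bit words modulo 2**16.

    Assumed definition of the 'checksum 16' named in the article; the exact sum
    used for the released samples may differ, but every additive checksum shares
    the reordering weakness shown below."""
    if len(data) % 2:
        data += b"\x00"
    return sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2)) & 0xFFFF


def checksum32(data: bytes) -> int:
    """Additive 32-bit checksum: sum of big-endian 32-bit words modulo 2**32 (assumed definition)."""
    if len(data) % 4:
        data += b"\x00" * (4 - len(data) % 4)
    return sum(int.from_bytes(data[i:i + 4], "big") for i in range(0, len(data), 4)) & 0xFFFFFFFF


def digests(data: bytes) -> dict:
    """Every fingerprint a verifier might record for a file, weak and strong side by side."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "crc32": zlib.crc32(data) & 0xFFFFFFFF,
        "checksum32": checksum32(data),
        "checksum16": checksum16(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def mismatches(data: bytes, expected: dict) -> list:
    """Names of the recorded fingerprints that the supplied data fails to reproduce."""
    actual = digests(data)
    return sorted(name for name, value in expected.items() if actual[name] != value)


def rotate_blocks(data: bytes, block: int = 4) -> bytes:
    """Move the first block-sized chunk to the end of the data.

    Additive checksums are plain sums of fixed-width words, so reordering aligned
    words cannot change them: the result is a different file with identical
    checksum16 and checksum32 values, a collision obtained with no searching."""
    if len(data) % block:
        raise ValueError("data must be a whole number of blocks")
    return data[block:] + data[:block]


# Constructed sample record (not from the article): 16 bytes, a whole number of 4-byte blocks.
ORIGINAL = b"ACCT0001AMT00100"
TAMPERED = rotate_blocks(ORIGINAL)  # b"0001AMT00100ACCT": same checksums, different content


def demo() -> dict:
    """Reports which recorded fingerprints the tampered record still matches and which catch it."""
    recorded = digests(ORIGINAL)
    caught = mismatches(TAMPERED, recorded)
    return {
        "still_match": sorted(set(recorded) - set(caught)),
        "caught_by": caught,
    }


if __name__ == "__main__":
    for name, value in digests(ORIGINAL).items():
        print(f"{name:>10}: {value}")
    print(demo())
```

Only the cryptographic hash (SHA-256 here) gives a verifier a collision-resistance guarantee; the sums and CRC are error-detection codes and should never be the sole integrity check.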

Finally, a fairly serious vulnerability was disclosed in a range of Cisco IOS versions, which could provide a remote
attacker with complete control over vulnerable networking hardware. Designed to take advantage of the web server that
is included with later versions of IOS, the vulnerability, and published exploit code, makes use of functions that
dump the memory of the networking device for an administrator to review.

By being able to inject arbitrary commands into the network traffic which the device then retains in memory, it was
discovered that the commands would be executed if the administrator ran the appropriate scripts. What prevents this
from being a massive problem is that the web server feature of the vulnerable IOS versions is not enabled by default,
and the known attack is limited to a small set of specific scripts. The other downside, in addition to compromising
targeted hardware, is that the attack can compromise all networking devices it passes through en route to the
targeted device, provided that they have the same feature enabled.

Cisco have not been able to release a patch for this issue, and their current advice is for affected users to
disable the web server.